Honeypots mailing list archives
Re: Unusually problems with honeywall
From: Stephan Holtwisch <shfh () immutec com>
Date: Mon, 27 Mar 2006 05:16:26 +0200
Hi Ivica,

I am pretty much in the same situation as you. I am writing a thesis about Honeynets as well and also use Roo as a starting point.

The p0f startup script is broken in that it reads 2 variables instead of one; however, the process starts nevertheless. So that is more a cosmetic issue.

I can't really help you with that other issue, haven't encountered it yet, but what strikes me about Roo is its total lack of actually usable documentation. I mean, the User Manual is all nice and dandy, but it doesn't help at all when you start designing a Honeynet with Roo. I am not sure what the state of version 2 of Roo is, but that is definitely a point that needs to be worked on. As it is now, you have to dig into the scripts yourself to see what the variables are used for, just to find out that the description in honeywall.conf is misleading at best and in some cases is plain wrong. For example:

    # This Honeywall's public IP address(es)
    # [Valid argument: IP address | space delimited IP addresses]
    HwHPOT_PUBLIC_IP=10.0.0.20

is very, very bad in multiple meanings. First of all, it's not the "Honeywall's public IP address", since the Honeywall doesn't have any IP addresses; it's a bridge, and the management interface is treated separately. If you are clever you may get the actual meaning from the variable name "HPOT", saying it's an IP address of a honeypot. But even then you don't know why it is declared at all (I assumed all traffic is monitored at the internal interface, and after all I defined HwLAN_IP_RANGE too). If you eventually dig into the scripts you may find that it has something to do with the dynamic setup of the firewall rules. The honeywall.conf script also makes the reader believe you could set up the external bridge interface as a management interface as well, which theoretically is possible but not so in Roo.

I am very well aware that Roo is not a commercial product, but it defeats the purpose of aiming to be easy to maintain and install if you have to check everything yourself to get it working correctly. Personally, I think it might be wise to clean up the basic documentation to the fundamentals first before designing a neat HTML interface that at the end of the day is just an editor to honeywall.conf, which is, sadly, very suboptimal.

Best regards,
Stephan Holtwisch

From: "Ivica Maric" <imaravk () gmail com>
To: honeypots () securityfocus com
Subject: Unusually problems with honeywall

Hi all!

My name is Ivica Maric and I am an undergraduate student at the Faculty of Electrical Engineering and Computing (www.fer.hr), Zagreb, Croatia. My diploma thesis is Honeynet and its usage in the real world.

I installed the Honeynet CD (latest roo release) from www.honeynet.org on one computer. Another computer is the honeypot (Windows 2000). The Honeywall contains 3 network interfaces (eth0, eth1, eth2), where eth2 is the management interface. I have read the Honeywall CDROM Online manual, some whitepapers linked to the honeypot concept, etc.

I have a few problems with my configuration:

First problem is with yum update: I update roo-base first (to bypass bug #423), and after that I update the entire honeywall (yum update). After the system rebooted, the p0f (Passive OS fingerprinting) service is [FAILED]. I don't know why that happens.

Second problem: When I remove a Snort or Snort_inline rule from the Walleye interface, Snort and Snort_inline do not work anymore. I get [FAILED] at boot time.

Third problem: My honeywall is monitoring not only the honeypot, but also other computers that are active on the network. I presume that is not desirable behavior. I properly connected the honeypot, through a switch, to eth1 (internal interface) and eth0 to the public network.

I appreciate any assistance or advice! Thank you for your time!

Best regards,
Ivica Maric
FER (www.fer.hr)
Zagreb
Croatia